Virtualización

Apolinar GonzálezAlfons Crespo

2

OUTLINE

Introduction Virtualisation techniques Hypervisors and real-time TSP Roles and functions Scheduling issues Case study: XtratuM

3

Conceptos previos

Máquina virtual (VM): software que implementa una máquina (computadora) como el comportamiento real.

Hipervisor (también virtual machine monitor VMM) es una capa de software (o combinación de software/hardware) que permite ejecutar varios entornos de ejecución independientes o particiones en un computador.

Partición: Entorno de ejecución de programas. Ejemplos: Linux + aplicaciones; un sistema operativo de tiempo real + tareas; …

4

Conceptos previos

Hypervisor

Partition

5

INTRODUCTION: Isolation

Temporal isolation refers to the system ability to execute several executable partitions guaranteeing:

• the timing constraints of the partition tasks • the execution of each partition does not depend on the temporal behaviour of other partitions.

The temporal isolation enforcement is achieved by means of a scheduling policy:

• Cyclic scheduling, the ARINC 653• Periodic Priority Server• EDF Server• Priority

6

PARTITIONED SYSTEMS

Temporal Isolation:

P1P1 P1P1 P2P2P2P2 P2P2 P2P2P3P3

MAF (Major Frame)

Slot (temporal window)Origin relative to MAF

duration

Slot id = 3 start = 400ms duration = 100 partition: P1P1P1

Execution

MAF 1 MAF 2 MAF 3 MAF 4

7

INTRODUCTION: Isolation

Spatial isolation refers to the system ability to detect and avoid the possibility that a partition can access to another partition for reading or writing.

The hardware shall provide some mechanisms to guard against violations of spatial isolation.

The spatial isolation property states that data processing in any partition can not access to any memory address outside of the its address memory region.

8

PARTITIONED SYSTEMS

Space Isolation:

Memory

P3P3

P2P2

P1P1

XtratuM

XtratuM

Memory

P3P3

P2P2

P1P1

XtratuM

XtratuM

P3P3

P2P2

P1P1

XtratuM

XtratuM

P3P3

P2P2

P1P1

XtratuM

XtratuM

9

INTRODUCTION: Benefits

Hardware independence: The hypervisor can implement virtualised hardware (legacy or not available hw).

OS/RTOS: several OS can be executed on the same hardware.

Security: divide complex applications in clearly isolated parts according to the security/criticallity requirements.

Reuse of legacy code: Mix the old (but well tested and validated) code jointly with new new services and applications.

IP protection: Use applications with different/incompatible licenses.

Multicore migration: No need to change the RTOS to get all the power of the new multicore processors.

10

Partitioned systems

Partitioned sytems are integrated by several “isolated” partitions

Each partition has its own runtime (guest OS) and its application

Partitioned systems involve a change in thinking from physical to logical, considering system resources as logical resources rather than separate physical resources.

11

INTEGRATED MODULAR AVIONICS: IMA

The IMA concept proposes an integrated architecture with application software portable across an assembly of common hardware modules. An IMA architecture imposes multiple requirements on the underlying operating system.

AppLevel

A

AppLevel

A

RTOS

RTOS

HWHW

AppLevel

C

AppLevel

C

RTOS

RTOS

HWHW

AppLevel

B

AppLevel

B

RTOS

RTOS

HWHW

AppLevel

A

AppLevel

A

RTOS

RTOS

AppLevel

C

AppLevel

C

RTOS

RTOS

HWHW

AppLevel

B

AppLevel

B

RTOS

RTOS

Federated architectureIntegrated Modular Avionics

12

INTEGRATED MODULAR AVIONICS IMA

IMA design brings in the notion of time, space and resource partitioning. IMA architecture contains:

• A partitioning kernel that runs in supervisor mode and provides TSP and a set of services. • Within each partition, the applications execute in user mode completely isolated from other applications. • The operating system makes each application behave as if it has exclusive use of the platform when, in fact, it is sharing the platform with many other applications.

13

PARTITIONED SYSTEMS

ARINC-653 (Avionics Application Standard Software Interface) is an industrial avionics standard published by Aeronautical Radio.

It is a software specification for space and time partitioning in Safety-critical avionics real-time operating systems. It delivers a set of services and functionalities to host multiple applications of different software levels on the same hardware in the context of a Integrated Modular Avionics architecture.

Each application is an entity called partition.

14

PARTITIONED SYSTEMS

ARINC-653 defines an API called APplication EXecutive (APEX) for space and time partitioning. • Space: Each partition has a separate address space and can not access (read or write) to other address spaces. This mechanism isolates partition memory and prevents access to other partitions. • Time: Each partition is scheduled according to a static cyclic scheduling plan. The plan is reapeated at the plan duration (ma jor frame, MAF) rate. Time isolation means that a partition execution does not depend on the others. In other words, an error in a partition does not affect other partitions.

15

PARTITIONED SYSTEMS

ARINC 653 provides the following services through its API at two levels:

•Partitioning level• Partition Management • Time Management • Interpartition Communication: Partitions can communicate through specified ports and channels supervised by the kernel. • Health Monitoring

• Partition level• Process Management• Intrapartition Communication

16

Example

UserInterface

Apps.

UserInterface

Apps.

GPOSGPOS

Remote

Access service

s.

Remote

Access service

s.

SecureOS

SecureOS

HW

Basic Contro

lLogic

Basic Contro

lLogic

RTOSRTOS

VirtualiserVirtualiser

System Manage

ment

System Manage

ment

RTSRTS

Basic Contro

lLogic

Basic Contro

lLogic

RTOSRTOS

Several replicas

17

Example

UserInterface

Apps.

UserInterface

Apps.

GPOSGPOS

Remote

Access service

s.

Remote

Access service

s.

SecureOS

SecureOS

HW

Basic Contro

lLogic

Basic Contro

lLogic

RTOSRTOS

VirtualiserVirtualiser

System Manage

ment

System Manage

ment

RTSRTS

Basic Contro

lLogic

Basic Contro

lLogic

RTOSRTOS

System Container

Par.1

Par.2

Par.3

Dynamically to upgrade partitions

18

Example

UserInterface

Apps.

UserInterface

Apps.

GPOSGPOS

Remote

Access service

s.

Remote

Access service

s.

SecureOS

SecureOS

HW

Basic Contro

lLogic

Basic Contro

lLogic

RTOSRTOS

VirtualiserVirtualiser

System Manage

ment

System Manage

ment

RTSRTS

Basic Contro

lLogic

Basic Contro

lLogic

RTOSRTOS

Perform a system analysis and decide to - Restart/stop/reload a partitions

Log-stream

Health MonitorLogstream

19

Example

UserInterface

Apps.

UserInterface

Apps.

GPOSGPOS

Remote

Access service

s.

Remote

Access service

s.

SecureOS

SecureOS

HW

Basic Contro

lLogic

Basic Contro

lLogic

RTOSRTOS

VirtualiserVirtualiser

System Manage

ment

System Manage

ment

RTSRTS

Basic Contro

lLogic

Basic Contro

lLogic

RTOSRTOS

Health MonitorLogstream

Certified

20

Example

UserInterface

Apps.

UserInterface

Apps.

GPOSGPOS

Remote Access

services.

Remote Access

services.

SecureOSSecureOS

HW

Basic Contro

lLogic

Basic Contro

lLogic

RTOSRTOS

VirtualiserVirtualiser

System Manage

ment

System Manage

ment

RTSRTS

Basic Contro

lLogic

Basic Contro

lLogic

RTOSRTOS

Certified

No need of new certification

21

OVERVIEW

XtratuM is a hypervisor (bare-metal) designed to meet safety critical real-time requirements

Uses para-virtualisation techniques Strong temporal isolation: fixed cyclic scheduler Strong/partial spatial isolation: every partition is

executed in processor user mode, and does not share memory. Without MMU read operations cannot be protected (very high cost)

Robust communication mechanisms (ARINC sampling and queueing ports)

Robust error management via the Health-Monitor Devices can be directly managed by partitions. Shared

devices can be organised in a IOServer All resources are allocated via a Configuration Table (XML) Tracing facilities

22

ARCHITECTURE

23

XTRATUM APPROACH

The approach followed in XtratuM A clear separation for the low level services

(hypervisor level) from the application services It deals with the services related to partitions

(strong achievements of isolation properties) It does not define how the partition shall work Partition can allocate different OSes (real-time,

secure, general-purpose) which facilities the integration of software from multiple providers

Enforces the roles of the integrator and developers

24

INTRODUCTION

It provides virtual machines (VM) to execute applications in partitions.

XtratuM manages partitions and is aware of the partition nature.

Partitions can be: • A single thread application as a bare partition on top of TOE.• A multi-thread application developed on top of a RTOS. The RTOS needs to be para-virtualised to be executed on top of the TOE. The para-virtualisation guarantees that the RTOS can not use directly the system resources and requires to use the services provided by the TOE to use the virtualised resources.• A general purpose operating system (Linux). It has to be paravirtualised.

25

ARCHITECTURE

Partitions can be: Single thread partition. Para-virtualised, no

internal overhead, low overhead (hypervisor)

#include <xm.h>#include ”std_c.h"

void PartitionMain(void) { unsigned long counter=0; int dec, frac; float f=0.0;

while(1) { counter++; f=(float)counter*(3.0/7.0); if (!(counter%10000)) { xprintf("%d.%d\n", dec, frac); } if (counter==300000) { XM_halt_partition(XM_PARTITION_SELF); } }}

26

ARCHITECTURE

Partitions can be: Single thread partition. Para-virtualised, no

internal overhead, low overhead (hypervisor) Multi thread partition based on cyclic

scheduling. Para-virtualised, no internal overhead, low overhead (hypervisor)

#include "../extras/std_c.h"#include <xm_glib.h>

void event_handler(int irqnr) { XM_unmask_event(XM_HWTIMER_EVENT); next_period = 1;}void task1(void) {......}void task2(void) {......}

void PartitionMain(void) { xm_time secondaryCycle = .....;

int MAF = ....;int nSlot = ....;

XM_get_time(XM_HW_CLOCK, &current_clock); XM_set_timer(XM_HW_CLOCK, current_clock, secondaryCycle);

XM_enable_irqs();XM_unmask_event(XM_HWTIMER_EVENT);

nSlot = 0; while (1) { switch (nSlot) { case 0: task1(); task2(); break; case 1: task1(); task3(); break;

………… default : break;

} nSlot++; if (nSlot == 4) nslot = 0;

while (next_period == 0); //Waits next timer event next_period = 0; }}

27

DEVELOPMENT ENVIRONMENTS

XAL (XtratuM Abstraction Layer) TSPAL (Temporal and Spatial

Partitioning Abstraction Layer) PartiKle Lithos RTEMS OSEK Linux

Android Meego

28

DEVELOPMENT ENVIRONMENTS

XAL (XtratuM Abstraction Layer) XAL is a developing environment to

create plain ``C'' applications. It is provided jointly with the XtratuM core.

It provides the libraries and scripts to compile and link a ``C'' application.

Libraries: stdio, math, …. It permits to execute single thread “C”

programs as partitions

29

DEVELOPMENT ENVIRONMENTS

LithOS It is a para-virtualised guest operating

system which uses the services provided by XtratuM to offer the complete ARINC-653 APEX to the applications.

It provides the following services Partition Management Interpartition communication Process Management Intrapartition communication Time Management Health Monitor Multiple scheduling (extended services) Non portable services

30

LITHOS

Services

Low footprint < 64KB.

+ Other services (non portable) to permit to stop/reset/suspend/resume other partitions or access to system information: start of the slot, slot identification, …

31

DEVELOPMENT ENVIRONMENTS

RTEMS RTEMS 4.8.1 has been para-virtualised to be

executed as partition on top of XtratuM Two new BSP has been defined: xm2leon2 /

xm3leon3 IRQ management, clock management, …..

Conceptual problem with time during the time the partition is not scheduled. Two approaches: Clock reference is the system clock (ARINC653). Ticks are

accumulated at the beginning of the partition (this is the implemented option). Delays and Periods are relative to the hardware clock.

Clock reference is the partition execution time. Delays

and Periods are relative to the execution clock.

32

ARCHITECTURE

Partitions can be: Single thread partition. Para-virtualised, no

internal overhead, low overhead (hypervisor) Multi thread partition based on cyclic

scheduling. Para-virtualised, no internal overhead, low overhead (hypervisor)

Multi thread partition (rtos). RTOS (PartiKle, RTEMS, ORK) need to be para-virtualised. Applications do not need modifications. Additional internal overhead (thread context switch) + low overhead (hypervisor).

33

PARTITIONS

Partition: Execution Environment (EE) managed by the hypervisor which uses the virtualised services

Limited by the amount of memory and CPU usage

Performance is not affected by the number of partitions

Two kinds of partitions: user and supervisor

Supervisor partitions can use some specific services

34

SYSTEM CONFIGURATION

The system resources and the information flows are defined in the configuration file: XM_CF. It specifies:

The hardware: Processor, memory available and devices

Resident software Hypervisor Partitions Communication channels ….

35

SCHEDULING

Temporal partitioning Scheduling policy based on ARINC-653 cyclic

scheduling Parameters: Major Frame (MAF) and slots

Slots are defined using an offset with respect to the MAF and a duration

Number of slots does not affect to the performance Multiple schedule: several plans can be

defined. plan 0: Initialisation plan 1: Maintenance plan2: Normal ……

36

SCHEDULING

Temporal partitioning: Example

37

MEMORY ALLOCATION

Spatial partitioning MMU/MPU Write protection mechanism Read protection cannot be achieved without specific

hardware support. Too expensive cost (full emulation via code analysis).

Partitions are allocated at specific memory addresses (XML)

38

COMMUNICATION

Inter-partition communications Two basic mechanisms:

Sampling ports: support for broadcast, multicas and unicast messages

Queueing ports: support for buffered unicast communication between partitions. Messages are delivered in FIFO order

Channels are the link between ports

39

COMMUNICATION

40

TIME MANAGEMENT

Clock and timers are virtualised to the partitions

Hw clock: associated with the native hw clock. Resolution 1usec

Execution clock: associated with the execution of the partition. This clock is only enabled when the partition is being executed. Resolution 1 usec

Timer based on the HW clock. Resolution 1usec Timer based on the Execution clock. Resolution

1usec

41

IO MANAGEMENT

IO Access IO devices are directly handled by a partition

(specified in the XML) XtratuM permits the access to the IO ports Only one partition can access to a IO port

42

INTERRUPT MODEL

43

HEALTH MONITOR

Health Monitoring Health Monitor discovers the errors and tries to

solve or confine the faulting subsystem in order to avoid or reduce the possible consequences (enforcing isolation).

44

HEALTH MONITOR

The XtratuM Health Monitor system is composed of four logical blocks:

HM event detection: to detect abnormal states, using logical probes in the XtratuM code.

HM actions: a set of predefined actions to recover the fault or confine the error.

HM configuration: to bind the occurence of each HM event with the appropriate HM action.

HM notification: to report the occurrence of the HM events.

Three event sources: Hardware: generated by the resources XtratuM: assertion results (probes) included in the code Partition: generated by the partition as result of an internal state

evaluation

45

HEALTH MONITOR

46

SERVICES

Services are provided via hypercalls

47

CONFIGURATION AND DEPLOYMENT

System Configuration System configuration file (XML)

48

DEPLOYMENT SNAPSHOOT

49

CONFIGURATION AND DEPLOYMENT

50

CONCLUSIONS

Virtualisation techniques based on Hypervisors are the most appropriated solutions for partitioned systems

Paravirtualisation + dedicated devices is the best option for embedded/real-time systems

The benefits of Partitioned systems are fully achieved using virtualisation techniques

Bare metal Hypervisors achieve strong spatial and temporal isolation and security functions

Appropriated scheduling techniques are still needed for partitioned systems

51

CONCLUSIONS

XtratuM is a hypervisor that achieves excellent results in performance and security issues

It is being used in space to build TSP systems There is a need of tools to help the different

roles in the TSP development